TenantAtlas/app/Providers/AuthServiceProvider.php

<?php

namespace App\Providers;

use App\Models\PlatformUser;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\User;
use App\Policies\ProviderConnectionPolicy;
use App\Services\Auth\CapabilityResolver;
use App\Support\Auth\Capabilities;
use App\Support\Auth\PlatformCapabilities;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [
        ProviderConnection::class => ProviderConnectionPolicy::class,
    ];

    public function boot(): void
    {
        $this->registerPolicies();

        $resolver = app(CapabilityResolver::class);

        $defineTenantCapability = function (string $capability) use ($resolver): void {
            Gate::define($capability, function (User $user, Tenant $tenant) use ($resolver, $capability): bool {
                return $resolver->can($user, $tenant, $capability);
            });
        };

        foreach (Capabilities::all() as $capability) {
            $defineTenantCapability($capability);
        }

        foreach (PlatformCapabilities::all() as $capability) {
            Gate::define($capability, function (PlatformUser $user) use ($capability): bool {
                return $user->hasCapability($capability);
            });
        }
    }
}